Posted
by
CmdrTaco
on Thursday July 21, 2011 @08:23AM
from the wear-a-helmet dept.

GeekTech.in writes "The AnonymousIRC hacking organization have claimed this afternoon that they have hacked into NATO servers. As one of their tweets says: ' Yes, #NATO was breached. And we have lots of restricted material. With some simple injection. In the next days, wait for interesting data :) '"

This is happening so often that better make a hack.slashdot.org and just add the site that was hacked and when... this is getting old...

Agreed, but what I haven't seen is follow up stories about these breaches. I though Anonymous or LulzSec were due to release loads of News of the World/News International e-mails they'd obtained? Did I miss a story or are they still holding onto it?

Say what you want about wikileaks but they understood media/marketing. Releasing so much stuff so frequently makes it difficult for the media to absorb and create a media frenzy, which is the only way the plebes ever even hear about stuff like this.

Say what you want about wikileaks but they understood media/marketing. Releasing so much stuff so frequently makes it difficult for the media to absorb and create a media frenzy, which is the only way the plebes ever even hear about stuff like this.

That used to be true. Its not longer true. The largest media outlets created data warehousing applications which allow them to not only comb through these large data releases, but allows them to locate and follow trails of subject matter in which they are interested. It even allows them to discover sub topics, and so on.

Literally, if these groups claim they are not releasing all of their information because media can't digest it, its a lie and is only self serving.

Anyone else notice a lot of shit which Wikileaks was suppose to release was never released in spite of the fact people are still manning the shop? Wikileaks existed solely to benefit, blackmail, extort, and steal information. The fact the information was never released seems to hint it was sold to the highest bidder. Otherwise, according to their claims, a lot of CEOs should be jail by now.

Did the bank of america stuff ever get released? Wasn't that supposed to shed light on the whole economic meltdown and put people in jail and save the world and shit? Or did it get released and the news never picked up on it?

No, it was never released. Or I should say, if it has, I sure never read anything about it and I've been watching and looking. One thing I can tell you I'm absolutely sure of, if they have proof of collusion behind the economic meltdown, without a doubt, all roads lead to Goldman Sachs.

One time I set up snort on an open box thinking I'd set up a firewall to block hackers on the fly; then I realized that a veritable firehose of hacks were streaming in at all hours of the day and I'd have to block half the Internet to stop it. I gave up.

I'd like to hear about places that either prevented or blocked hacking from occurring JUST ONCE to show that the money spent on IT hasn't been completely wasted.

Not to feed the troll, but...

Places block/prevent hacking -constantly-, but that's not news.

If you spend some time monitoring the traffic on the outside interface of anywhere interesting, the number/variety of attempts are astounding.

Add to that the fact that the people on the inside (especially -not- the IT people) are incredibly apathetic, if not antagonistic toward security and it's really amazing that there aren't more successful attacks.

Most of this is just due to the ineptitude of IT in general, and lazy/bad coding techniques. Preventing SQL injection is elementary, yet LULZSEC and Anon seem to get a huge portion of their data by using it. The majority of the remainder of their data seems to come from social engineering, which IT departments should have weeded out a decade ago. The simple college computer lab support I did back in 2002 had explicit requirements for verification of identify before I did anything concerning accounts, securi

Lots of stuff gets stopped. Orders of magnitude more stuff gets stopped than actually gets through. No one cares about that. It's what we expect, shit is going on out int he Internet, we stop it from getting to our network. It's only when we fail that it's a story. Think about how crime statistics are reported: There were around 500 murders in New York City last year. That sounds horrible. What are the cops doing? Of course that means that approximately 8.2 million people (plus or minus tourists an

They arrested a few people stupid enough to use Low Orbit Ion Cannon to participate in the DDOS attack against PayPal and MasterCard/Visa sponsored by Anonymous. The mainstream media probably does think that's all of them.

I certainly don't want to provoke anyone, but I wonder how long it will take until they hack gmail and other cloud-based services, and put all the data into the open?Thanks to these guys, I'm not so sure anymore whether I like this idea of the cloud.

Hackers target smb [wsj.com] references this exact issue - lulz/anon are harmless. Everyone sees the big headlines but its thousands of small businesses that are getting their data stolen every day and left with no ability to recover.

Granted, you make your own mess when you hire the $20/hour web guy out of college who thinks that online transactions are safe because he used magento out of the box, but the real hacking is occuring daily and there's no way to stop it, or even properly monitor it. Even when these are

This argument seems a lot like saying 'your house is just as flammable as it ever was', right after an arsonist torched the place. Ultimately everything has to be a trade off between usability and convenience, and security. Similarly with stuff like wikileaks, we expect that there should be mechanisms by which specific crimes might be exposed to the public over and beyond conventional security policy. But when these holes are publically exploited, then they have a number of spill-off effects.

I think that's kinda their point.Security is easy, very easy. The fact that none of these huge companies or government agencies can do rudimentary things to secure their sites should scare you. Hackers should keep plucking away at them until they either secure their sites or take them down entirely. Hacking should be legal, it's the only thing that tells us if a site is secure from the real bad guys... the ones that don't publish their results.

> I certainly don't want to provoke anyone, but I wonder how long it will take until they hack gmail and other cloud-based services, and put all the data into the open?

Well, given the fact that gmail now allows over 7.5GB of storage per account, hackers stealing a single GB of data probably wouldn't affect that many users. Of course that doesn't make it right, but it does limit the damage somewhat.

In general at least groups like anon and luzlsec have been fairly weak attacks targeted at poorly secured pages with vulnerabilities that are years old. Mainly I think they are pointing out that the security of these places is pathetic, rather then nothing is secure. Google has an incredible track-record for deflecting large scale attacks. I'm not saying they are invincible, but they do actually seem to know what they are doing.

Your 2-step authentication does nothing when the servers themselves are compromised. Luckily I have nothing but my own personal financial information at risk which is completely worthless to a foreign government and a dime a dozen in the hacking/cracking circles.

I have heard of hacks for other sites that use two step authentication that install themselves as browser add-ons and slurp the cookie typed in. Then the blackhat is able to add or remove the second factor authentication, change the password and the account is theirs.

The first line of defense is making sure your endpoint is secure. Compromise that and the game is up, regardless of what authentication one has.

Everyone is hacking into government computers and learning the secrets of the government oh noes. I have government data on my computer maybe more than some of these hackers claim to have liberated here is the catch. Gov data is very boring. For example my latest gov communique was plans for a building with a rotten roof. Yes I have to look at it and bid on repairing. I think the government is running out of terrorist and need a new batch of international terrorists with computers. You are not safe they ca

I know, it's a stupid question but I have to ask it. Why are government and military servers and computers that store sensitive data connected to the internet at all. Shouldn't they be on isolated local networks only?

I know, it's a stupid question but I have to ask it. Why are government and military servers and computers that store sensitive data connected to the internet at all. Shouldn't they be on isolated local networks only?

Because government agencies cooperate and share information routinely over very large distances with their personnel in different states and with agencies of other states as well. NATO is a very large organization comprising of 28 states. This means the military and intelligence agencies of 28 states cooperate with at least a fair degree of regularity, often across the ocean. Each state more than likely has their own internal information and communication system, yes. But to get each member state to agr

Yep. Remember that Wikileaks needed someone on the inside to get the information. I find it highly unlikely that Anonymous got any really important documents. Sure, maybe they were marked classified. That doesn't mean shit.

"Restricted", "sensitive", and "secret" material is low level. That is the level of material that everyone in the military and government bureaucracy has access to. It is the sort of stuff that is either not very sensitive (ie enemy agents could figure it out easily just from observing a base or similar) or has only a small window in which it is useful (ie by the time the enemy could react it would be too late).

These days with the adversarial government/media relationship tons of material is classified like this just to discourage the media from baking scandals, and to prevent citizens from finding out about legitimate scandals (at least in the short term).

What was accessed in this case was probably some boring inter-NATO administrative emails, with the most interesting stuff being up-coming exercises and the like.

The stuff that Wikileaks released that inspired this spate of hackings WAS from an air-gapped computer.

"Restricted", "sensitive", and "secret" material is low level. [...] It is the sort of stuff that is either not very sensitive (ie enemy agents could figure it out easily just from observing a base or similar) or has only a small window in which it is useful (ie by the time the enemy could react it would be too late).

As an example: Recall the grad student who compiled a map of the USA's fiber infrastructure?His master's thesis was classified and the Feds pulled all his citations from public access.Another example: The plane spotters who log tail numbers and figured out the CIA's network of private rendition jets.

Because there's no point in having a massive intelligence network if your people can't access the info. And it's really not practical to have to travel to a very specific office somewhere to get the data.

All your personal data (and mine) is available in a couple of thousand offices too... and can therefore be hacked as well.

They *don't* have sensative data stored on networks accessable to the internet. I certainly believe its possible for a NATO web server to contain 1GB of documents... The same kind of crap that you find on publicly owned company intranets, documents and documents of rambling and meeting minutes and useless garbage stored because they're being transparent to the public. For all we know at this point Anonymous *hacked* a bunch of files that were accessible by a internal search engine to the site.

By now, with all that happened in the last 6 months on this front, you would have though that any computer holding sensitive information was already moved behind an air gap. That IT security experts would have learned that they cannot protect their networks against attack as long as the network is opened to the outside world.

Either people do not learn, or they are really way to slow at making things change...

Well, is the data that sensitive? Here is one they released:
http://pdfcast.org/pdf/nato-1 [pdfcast.org]
Old and dull.
And Sabu yesterday claimed they were about to release a bunch of Sun emails. Now they say they won't. There's a bit more smoke than fire.

Yah maybe if there were actually real threats that NATO was needed for... they might take security seriously. Given that they are just an excuse for nations to dump money into military contractor pockets (much like the US military who hasn't fought a real threat since the early 40s)... well why should they give a shit?

Intrusions? Data gets lost? Clearly that means they need more budget. This will be a windfall for them.

Meh, "sensitive" is relative. Let me know when it's proven that there's actually some meaningful scandalous data here. Otherwise it's just a "Look what I can do!" Anything the military does or buys is considered sensitive by default. It's silly really.

How is it that all these different sites keep getting hacked? I mean, NATO doesn't have access to experts in internet security that are able to defend against these attacks?

I'm not in the field, obviously, and I know that things are always evolving, but it seems to me that there needs to be more layers in web security. Also, why is there not more encryption on sensitive data? Is encryption more costly if it's more complex?

I can understand when a corporation gets hacked, they're going cheap on web security because of the costs. But one would think that truly sensitive information with major geopolitical players would be buttoned up pretty damn tight.

The thing is, they are not picking targets and then hacking them, rather they are mass scanning to see what is vulnerable then picking through the list to find stuff they find interesting. With that said, you would expect a military organization not to be the "low hanging fruit".

If governments were more open and didn't try to keep so many secret, it wouldn't be so bad if they got hacked. By definition, if there were no secrets, they'd be nothing to hack. Perhaps this a motivation behind the attacks by Anonymous: they want to show governments that keeping secrets is no longer worthwhile.

I think future governments have three choices: 1. Pay the cost of maintaining highly secure systems to keep their secrets (which can never be guaranteed) 2. endure the costs of their secrets being di

Makes you wonder though... what would the world be like if people were actually held responsible for their actions and were not able to do things anonymously. Wouldn't that mean that Anonymous should eventually be self exposing?

Plenty of people join with nothing but the best intentions; if you think the guys actually pulling the trigger in that video don't lose sleep over it I don't think you know many soldiers. If you simply must condemn someone for that video, by all means - go after the people who attempted to cover it up. Not the poor guys who had to find out after watching the news that they killed innocent men.

War is cruelty. There is no use trying to reform it. The crueler it is, the sooner it will be over. - William T. Sherman

Of course the majority of people have nothing "but the best intentions" at heart.

However, my point was if we're going to start attempting to make these "anon" people start owning up for their actions let's start with the ones committing actual atrocities. You know the ones covering up the things Anon uncovers.

And I'm not sure if we watched the same video, but the boys in that one firing the guns didn't seem too hesitant about killing those people. I don't think they're losing any sleep.

My boyfriend is in the marines (gay), so I know a few people in the forces (now that that's out of the way).

That's awesome, actually. Well, thank him for/that/ particular service, has to be rough if he's open about it.

Like I said... I'm biased... I look at a lack of hesitation as good training. I heard a saying in basic - "Ready, aim, fire, yours, theirs, bodycount and regrets - in that order." and while we could argue all day about the morality of striking targets with no feasible means of fighting back (foot vs chopper) they did everything according to procedure - a procedure that's designed to protect you

It's not my "brave new world"... I like a bit of anonymity/privacy. I read something about someone's utopia a while back and one of their requirements was total lack of anonymity. I couldn't figure out why it was a requirement for their utopia, but their only rationality for it was crime.

I'm sympathetic to the notion of full transparency. In a surveillance society you can see that everyone else is human too, and that they do stuff while you're not watching. As reality is even wackier than fiction, I imagine that it would pretty much kill ordinary television, too. On the other hand, I don't believe in governments that don't try to overstep their bounds, which is why I too prefer a world with privacy. Ultimately I don't believe we'd ever get to actually see what everyone was doing all the tim

A reasonable state should provide for decreasing levels of privacy as your power increases. For example, those with significant power to sway opinion—politicians, celebrities, etc.—should have much less right to privacy than Joe Random. Indeed, this is the way our privacy laws are structured today.

Where our privacy laws break down is when it comes to corporate privacy and government privacy—the privacy of large groups acting as a single hive mind. These groups should have almost no privacy because they have much greater power than the average citizen. Unfortunately, this is seldom the case, and this is the problem that needs to be fixed—not reducing the privacy of individuals, but rather reducing the privacy of individuals in their official capacity while working together in large groups. That's not very easy to do, though, at least without decreasing their privacy as individuals, which is why things go horribly wrong (whether because you gave them too much privacy and got corruption or too little privacy and got MonicaGate absurdity).

I tend to lean on the side of targeted laws in this area—sunshine laws, open records laws, open meetings laws, etc. When these are insufficient, the flaws should be corrected. When these are ignored, the perpetrators should do jail time to serve as an example to others. If this were happening consistently, we'd have a lot fewer problems with our democracy.

I know you're AC, but seriously, the US government kills innocent people every day of the week. And yet people are concerned about whether the release of a given set of information (perhaps about said killing) will get one person killed. Can I get a re-working of priorities up in here?

but seriously, the US government kills innocent people every day of the week.

Except the US government does not intentionally go after unarmed civilians (and no, do not bring up WW2 or Vietnam as counterexamples of that). We don't bomb crowded markets or restaurants, we use precision guided weapons to limit collateral damage as much as possible(and yes, also because 1 bomb is usually cheaper than 50). We train our soldiers to identify hostile targets and not fire indiscriminately. The people we are fighting use civilians as human shields. Our soldiers use themselves to shield civ

And it's not like it's a new thing, there's a huge history of civilian deaths during EVERY invasions/wars.

Fixed that for you. Civilians have always died and suffered from war. But no government in history has gone to such lengths and measures and the US and other Western governments have in trying to prevent innocent deaths in the legal and cultural environments of their respective militaries. And remember this, for the last 70 years, these soldiers have been risking their lives to protect civilians not of their own state, but of whichever state they are fighting in. They have no connection to these people

Incompetent developers. I haven't read everything, but my impression is that Anonymous and LulzSec simply used SQL injection for many of their cracks, which is something that any competent web developer should know how to prevent without even trying.

How many other corrupt nations do you see with a military presence in half the other countries in the world? I'm sure if, say Germany, was transitioning to a full fledged Corporatocracy bent on nation building in the middle east and exploiting 3rd world laborers the world over you would see them get a focus, too.

Yeah, right. How dare corporations give them a job that isn't up to 1st world standards! The fact that they take these jobs just shows how badly they need work, and it is wrong to give people a job if it isn't a great one. Better to make it so expensive that it isn't worth it to have the factories there at all, leaving them without 1st world knowledge, resources or money to dig themselves out of their current wretched state. Nevermind the industrialization of 1st world countries was pretty brutal. I want to

China is already starting to develop its own brand of imperialism. They're buying lots of dirt cheap land in Africa in order to guarantee their own food supply, for example. Not to mention the amount of stuff in the US and Europe that they already own. China is every bit as corporatist as the US.